Bug 10635 - Office365 azure Password Sync not working
Summary: Office365 azure Password Sync not working
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.13.3
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-27 13:58 UTC by Michael Schobel-Thoma
Modified: 2023-02-03 10:32 UTC

See Also:


Attachments
Event ID 611 Log (3.33 KB, text/plain), 2020-03-05 13:41 UTC, Khader Welaye, no flags
Patch for Samba 4.18 including WHATSNEW (107.63 KB, patch), 2023-02-01 00:11 UTC, Andrew Bartlett, metze: review+
Patch for Samba 4.17 including Release note (106.79 KB, patch), 2023-02-01 00:12 UTC, Andrew Bartlett, metze: review+

Description Michael Schobel-Thoma 2014-05-27 13:58:53 UTC
OS: Ubuntu 14.04 - MS Azure Password Sync to Office 365.

When I start the sync, a Kerberos WRONG PARAM error appears in the Samba log and Azure is logging the following:

Password synchronization failed for domain: domain.com. Details: 
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Unable to open connection to domain: domain.com. Error: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsCommunicationException: RPC Error 1728 : A remote procedure call (RPC) protocol error occurred. Error creating DRS context handle.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.DrsBind(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle, _GUID sourceDsaGuid, _DRS_EXTENSIONS_INT* clientExtensions, _DRS_EXTENSIONS** serverExtensions, RpcBindingSecurityCallbackHandler securityCallback)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.CreateDrsHandle(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.EstablishConnection()
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.Connect()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.<>c__DisplayClass1.<ExecuteWithRetry>b__0()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry(Action operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.CreateConnection()
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Comment 1 Tommie Van Mechgelen 2015-05-05 14:59:49 UTC
Hi,

I am experiencing the same problem when using DirSync with Azure/Office 365.  I am currently running Samba 4.2.1 compiled from source.

Are we missing some RPC calls to have this working in Samba?

Password synchronization failed for domain: domain.com. Details: 
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Unable to open connection to domain: domain.com. Error: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 1727 : The remote procedure call failed and did not execute. Error creating DRS context handle.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.DrsBind(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle, _GUID sourceDsaGuid, _DRS_EXTENSIONS_INT* clientExtensions, _DRS_EXTENSIONS** serverExtensions, RpcBindingSecurityCallbackHandler securityCallback)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.CreateDrsHandle(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.EstablishConnection()
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.Connect()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.<>c__DisplayClass1.<ExecuteWithRetry>b__0()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.CreateConnection()
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Comment 2 tf 2016-03-22 14:47:21 UTC
Same problem with an up-to-date Samba on an Arch Linux box.

What is needed to get AD Azure sync working on Samba?

Best regards

Torsten Fohrer
Comment 3 Alex MacCuish 2016-09-03 10:40:51 UTC
The new AAD Connect gives me the following error:

Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8420 : The naming context could not be found. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnReplicateSingleObject(DsName directoryName)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.ReplicateSingleObject(Guid objectGuid, String distinguishedName)
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.<>c__DisplayClass9.<RetrieveObjectChangesFromAD>b__3(IDrsConnection c)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.RetrieveObjectChangesFromAD(List`1 retryObjects)
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Comment 4 Andrew Bartlett 2016-09-03 10:43:03 UTC
Please retry with Samba 4.5, as we fixed ReplicateSingleObject for that release.
Comment 5 Michal Dejmek 2016-09-20 09:50:38 UTC
The same bug in version 4.5.0.
Comment 6 Khader Welaye 2020-03-05 13:35:08 UTC
I know this bug has been open for a long time, but Password Hash Synchronization in Azure AD Connect is still broken. AADConnect event logging shows the following:

RPC Error 8420 : The naming context could not be found. There was an error calling _IDL_DRSGetNCChanges.

In Windows Server AD environments, this error is usually caused by missing Replicating Directory Changes / Replicating Directory Changes All permissions on the AAD sync service account, which is not the case here.

Setting the AADConnect Sign On method as Pass-through authentication instead is a usable workaround (where sign-in requests are passed back down to the DC instead of using the synced Password Hash in AAD). Password Hash Sync is preferable, since it would continue to provide sign on services if either the DC or the server hosting AADConnect went down.

OS: Zentyal Server Development Edition 6.1 (Based on Ubuntu)
Samba: 4.7 (Version included with distribution)

Looking up this issue online in various threads, Samba 4.8 is the latest version I've heard people report on this issue with. Please let me know if I can provide more information regarding this. I am assuming this issue still exists as of Samba 4.12, as I didn't see anything related in the change logs, but I haven't been able to test.
Comment 7 Khader Welaye 2020-03-05 13:41:00 UTC
Created attachment 15842
Event ID 611 Log

I thought I'd shove this in a text file instead of taking up more thread space.
Comment 8 Andrew Bartlett 2020-03-31 08:48:16 UTC
(In reply to Khader Welaye from comment #6)
Testing with a modern version would be the first step towards getting any resolution here.
Comment 9 heupink 2020-10-17 10:01:11 UTC
Using Microsoft's latest method "Azure AD Connect cloud provisioning" (Preview) with 4.12.8-SerNet-Debian-8.buster, we are getting this:

An on-premises agent reported errors in attempting to read the entry with this identifier: faa071f5-5924-4cd3-8f8e-0afc599b919b. [2020-10-17T09:48:20.8040421Z](92) Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8420 : The naming context could not be found. There was an error calling _IDL_DRSGetNCChanges. at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnReplicateSingleObject(DsName directoryName) at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.ReplicateSingleObject(Guid objectGuid, String distinguishedName) at Microsoft.Online.PasswordSynchronization.PasswordEnumerator.<>c__DisplayClass8_1.<RetrieveSingleObject>b__0() at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy) at Microsoft.Online.PasswordSynchronization.PasswordEnumerator.RetrieveSingleObject(Guid objectGuid, String distinguishedName) at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ActiveDirectoryProvider.TryFetchPasswordDataForSingleObject(Guid objectGuid, Func`2 translationFunction, Resource& resource) at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ActiveDirectoryProvider.AggregatePasswords(Guid objectGuid, IList`1 aggregate)

Next I will try to get a level 10 debug log from this DC while this error occurs.
Comment 10 heupink 2020-10-17 11:53:00 UTC
Another observation: samba is running with continuous high CPU usage (50-60%) while the Azure AD Connect cloud provisioning server is running.
We shut down the server, and CPU usage returns to normal (below 10%).
Comment 11 Ralph Böhme 2020-10-17 12:40:19 UTC
We've recently looked into this and the problem is that the Azure sync client is not able to replicate certain secret attributes including the passwords.

The reason for this is that basically the Samba DRSR RPC service doesn't correctly honor directory ACLs that would grant the required rights, instead it restricts the right to connected (RO)DCs.

To fix this someone has to dig into this and implement the correct security checks. I have a WIP patch but it's going to take at least a week or two of effort to write tests that teach us the correct behaviour of a Windows DC and then implement this in Samba.
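The permissions Khader names in comment 6 and the directory ACLs Ralph refers to in comment 11 are the DS-Replication-* control-access rights on the domain naming context. As an added defender's example (not code from this bug report or from Samba), the following stdlib-only Python parses an SDDL descriptor for the NC head and reports which trustees end up holding those rights, i.e. who can pull secrets through DRS. The SDDL string and the S-1-5-21 SIDs in it are constructed; group nesting and inheritance are deliberately not expanded.

```python
import re

# Control-access-right GUIDs from the AD schema that gate DRS replication
# (the rights called "Replicating Directory Changes [All]" in the thread).
DS_REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Replicating secrets (password hashes, Kerberos keys) via GetNCChanges needs both.
SECRET_REPL_RIGHTS = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}

# SDDL access-right mnemonics: CR is ADS_RIGHT_DS_CONTROL_ACCESS; GA (generic
# all) implies every right, including every control-access right.
RIGHT_CR, RIGHT_GA = 0x100, 0x10000000
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": RIGHT_CR, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": RIGHT_GA, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
# Well-known SID aliases that usually appear on a domain NC head.
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators", "DA": "Domain Admins", "SY": "NT AUTHORITY\\SYSTEM",
    "ED": "Enterprise Domain Controllers", "RO": "Enterprise Read-only DCs",
    "AU": "Authenticated Users",
}

# Constructed sample descriptor (not from a real domain): DCs get Get-Changes,
# Administrators and SYSTEM get everything, RODCs get the filtered-set right,
# RID 1105 is a sync account granted both rights directly, and RID 1106 has
# Get-Changes-All explicitly denied (denies come first in a canonical DACL).
SAMPLE_DOMAIN_NC_SDDL = (
    "O:DAG:DAD:AI"
    "(OD;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1106)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;RO)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1106)"
    "(A;;RPLCLORC;;;AU)"
    "(A;;GA;;;SY)"
)


def parse_rights(field):
    """Turn an SDDL rights field ('CR', 'RPLCLORC' or '0x100') into an access mask."""
    field = field.strip()
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"malformed rights field: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        mask |= SDDL_RIGHTS[field[i:i + 2]]
    return mask


def parse_aces(sddl):
    """Yield (ace_type, access_mask, object_guid, trustee) for each DACL ACE."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL in descriptor")
    for ace in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {ace!r}")
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        yield ace_type, parse_rights(rights), obj_guid.lower(), trustee


def replication_grants(sddl):
    """Map each trustee to the replication rights it ends up with once explicit
    deny ACEs are subtracted. Group membership and inheritance are not expanded."""
    allowed, denied = {}, {}
    for ace_type, mask, obj_guid, trustee in parse_aces(sddl):
        if not mask & (RIGHT_CR | RIGHT_GA):
            continue                                # no control-access right at all
        if obj_guid == "":
            rights = set(DS_REPL_RIGHTS.values())   # unscoped: every control right
        elif obj_guid in DS_REPL_RIGHTS:
            rights = {DS_REPL_RIGHTS[obj_guid]}
        else:
            continue                                # an unrelated control-access right
        if ace_type in ("A", "OA"):
            allowed.setdefault(trustee, set()).update(rights)
        elif ace_type in ("D", "OD"):
            denied.setdefault(trustee, set()).update(rights)
    effective = {t: r - denied.get(t, set()) for t, r in allowed.items()}
    return {t: r for t, r in effective.items() if r}


def secret_replicators(sddl):
    """Trustees holding both rights needed to pull secrets through DRS."""
    grants = replication_grants(sddl)
    return sorted(t for t, r in grants.items() if SECRET_REPL_RIGHTS <= r)


if __name__ == "__main__":
    for trustee, rights in replication_grants(SAMPLE_DOMAIN_NC_SDDL).items():
        print(f"{SID_ALIASES.get(trustee, trustee):36} {', '.join(sorted(rights))}")
    print("can replicate secrets:",
          [SID_ALIASES.get(t, t) for t in secret_replicators(SAMPLE_DOMAIN_NC_SDDL)])
```

Any trustee in the final list is, as Andrew notes later in this thread, effectively a Domain Admin and should be reviewed as such.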
Comment 12 Ralph Böhme 2020-10-19 09:57:40 UTC
(In reply to Ralph Böhme from comment #11)
Fwiw, using an account that's a member of Domain Admins will also work.
Comment 13 heupink 2020-10-19 15:42:57 UTC
Really are you sure? We are running with a domain admin account configured in the Azure AD Connect cloud provisioning, and we're getting:

An on-premises agent reported errors in attempting to read the entry with this identifier: ce41b509-746c-45b1-8886-4f203c60. [2020-10-18T12:47:01.9891903Z](28) Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8420 : The naming context could not be found. There was an error calling _IDL_DRSGetNCChanges
Comment 14 Ralph Böhme 2020-10-19 15:52:05 UTC
(In reply to heupink from comment #13)
Hm, this looks totally different from what we've been seeing in a very specific test setup with a Windows 2008R2 DC (at schema level 2012) and a Samba DC.
Comment 15 heupink 2020-10-19 16:01:27 UTC
Do I understand correctly that you ran your Azure sync *ON* that Windows 2008R2 DC? Reading the Microsoft docs, I understand this is not required. We are testing with a Windows 2016 (domain member) server, NOT a DC.
Comment 16 Ralph Böhme 2020-10-19 16:18:49 UTC
(In reply to heupink from comment #15)
No, this was the DC we replicated from. This was used in a deliberate attempt to be able to compare replication between comparable Windows and Samba DCs, both being at the same schema and functional level and so forth.

The Azure sync client was installed on a Win 10 box iirc.
Comment 17 Björn Jacke 2020-10-19 18:34:09 UTC
heupink: I think you are reporting a problem here that the initial bug report was not about. You mentioned "Azure AD Connect cloud provisioning (Preview)". Do you agree that this is a different topic? If yes, please keep this bug report on the topic it was about. If you have a different issue with a new Azure software, please file a new bug.
Comment 18 heupink 2020-10-20 09:16:47 UTC
I considered this ticket to be on password hash synchronisation to Azure / O365. Through the years Microsoft had different tools to do this job, the latest one being the "cloud provisioning" server. And actually: I think the tool that the ticket originally was about (DirSync) is no longer supported by Microsoft.

But all these tools seemed to run into the same/similar issue: RPC Error 8420 : The naming context could not be found.

Therefore I assumed that our findings are the same, or at least related or relevant.

On the mailing list there seem to be very few (if any recent) success stories.

However, reading Ralph Böhme's comments, it seems that perhaps it *is* supposed to work after all. So for now, I will start by putting more efforts into making it work here. Perhaps I'll first also test with a native microsoft AD DC.
Comment 19 heupink 2020-10-21 10:07:48 UTC
(In reply to Ralph Böhme from comment #12)

I just tried installing the (traditional, older style) Azure AD Connect with an account from the "domain admins" group, and it seems that is no longer supported:

https://docs.microsoft.com/nl-nl/azure/active-directory/hybrid/reference-connect-accounts-permissions:

"As of build 1.4.###.# it is no longer supported to use an enterprise admin or a domain admin account as the AD DS Connector account. If you attempt to enter an account that is an enterprise admin or domain admin when specifying use existing account, you will receive an error."

The installer will instead offer to create an account for you, and that is probably where this Samba limitation becomes problematic: "DRSR RPC service doesn't correctly honor directory ACLs that would grant the required rights" (Ralph Böhme in comment #11)
Comment 20 Ralph Böhme 2020-10-21 10:15:55 UTC
(In reply to heupink from comment #19)
You can use any account and make it a member of domain admins.
Comment 21 Andrew Bartlett 2020-10-23 18:19:17 UTC
(In reply to heupink from comment #19)


I understand why they do it, but it is (from a security perspective) making people feel safer than they really are, as a user who can download password hashes (Kerberos keys) for servers and krbtgt is essentially a Domain Admin anyway.
Comment 22 Andrew Bartlett 2022-12-16 00:55:33 UTC
I'm working on a fix for the reported GetNCChanges error.  There may still be other issues, but this much I will fix.
Comment 23 Samba QA Contact 2023-01-31 13:44:03 UTC
This bug was referenced in samba master:

Comment 24 Andrew Bartlett 2023-02-01 00:11:25 UTC
Created attachment 17744
Patch for Samba 4.18 including WHATSNEW
Comment 25 Andrew Bartlett 2023-02-01 00:12:38 UTC
Created attachment 17745
Patch for Samba 4.17 including Release note
Comment 26 Jule Anger 2023-02-01 17:12:05 UTC
Pushed to autobuild-v4-18-test.
Comment 27 Samba QA Contact 2023-02-01 17:27:03 UTC
This bug was referenced in samba v4-18-test:

Comment 28 Samba QA Contact 2023-02-01 17:42:34 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.0rc2):

Comment 29 Andrew Bartlett 2023-02-01 17:48:31 UTC
(In reply to Andrew Bartlett from comment #25)
Sorry for any confusion, this is the 4.17 patch.
Comment 30 Jule Anger 2023-02-03 09:41:54 UTC
(In reply to Andrew Bartlett from comment #29)
Pushed to autobuild-v4-17-test :-)
Comment 31 Samba QA Contact 2023-02-03 10:29:04 UTC
This bug was referenced in samba v4-17-test:

Comment 32 Jule Anger 2023-02-03 10:32:45 UTC
Closing out bug report.

Thanks!